problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request


Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.


Definition

rules:
  - id: sling-http-request
    message: Checks for requests to http (unencrypted) sites using gorequest, a
      popular HTTP client library. This is dangerous because it could result in
      plaintext PII being passed around the network.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://godoc.org/github.com/dghubble/sling#Sling.Add
        - https://github.com/dghubble/sling
      subcategory:
        - vuln
      technology:
        - sling
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - go
    pattern-either:
      - patterns:
          - pattern-inside: |
              $REQ = sling.New()
              ...
              $RES = ...
          - pattern: |
              $REQ.$FUNC("=~/[hH][tT][tT][pP]://.*/")
          - metavariable-regex:
              metavariable: $FUNC
              regex: (Get|Post|Delete|Head|Put|Options|Patch|Base|Connect)
      - patterns:
          - pattern: sling.New().$FUNC("=~/[hH][tT][tT][pP]://.*/")
          - metavariable-regex:
              metavariable: $FUNC
              regex: (Get|Post|Delete|Head|Put|Options|Patch|Base|Connect)
      - patterns:
          - pattern-inside: |
              $REQ = sling.New()
              ...
              $URL = "=~/[hH][tT][tT][pP]://.*/"
              ...
              $RES = ...
          - pattern: |
              $REQ.$FUNC($URL)
          - metavariable-regex:
              metavariable: $FUNC
              regex: (Get|Post|Delete|Head|Put|Options|Patch|Base|Connect)
      - patterns:
          - pattern-inside: |
              $URL = "=~/[hH][tT][tT][pP]://.*/"
              ...
              $RES = ...
          - pattern: |
              sling.New().$FUNC($URL)
          - metavariable-regex:
              metavariable: $FUNC
              regex: (Get|Post|Delete|Head|Put|Options|Patch|Base|Connect)

Examples

sling-http-request.go

// bad1 builds a request against a plaintext "http://" URL through the
// sling.New().Get(...) chain (second alternative of the rule), so the
// Get call is reported. Nothing downgrades or encrypts the transport
// before client.Do sends the request.
func bad1() {
    params := &Params{Count: 5}

    // ruleid: sling-http-request
    req, err := sling.New().Get("http://example.com").QueryStruct(params).Request()
    client.Do(req)
}

// bad2 sets a cleartext base URL via sling.New().Base(...). The URL is
// reached through the twitterApi constant, which the fourth rule
// alternative resolves; every request built from this base would travel
// unencrypted.
func bad2() {
    const twitterApi = "http://api.twitter.com/1.1/"
    // ruleid: sling-http-request
    base := sling.New().Base(twitterApi).Client(authClient)
}

// bad3 stores the sling instance in a variable first and then calls
// Post with a literal "http://" URL; the first rule alternative
// ($REQ = sling.New() ... $REQ.$FUNC("http://...")) matches the Post call.
// Note the local is named sling, shadowing the package after the
// assignment.
func bad3() {
    params := &Params{Count: 5}

    sling = sling.New()
    // ruleid: sling-http-request
    req, err := sling.Post("http://example.com").QueryStruct(params).Request()
    client.Do(req)
}

// bad4 combines a stored sling instance with a URL constant. The third
// rule alternative ties s back to sling.New() and twitterApi back to the
// "http://" literal, so the Delete call is reported even though the URL
// does not appear inline.
func bad4() {
    s = sling.New()
    const twitterApi = "http://api.twitter.com/1.1/"
    // ruleid: sling-http-request
    base := s.Delete(twitterApi).Client(authClient)
}

// ok1 is the TLS counterpart of bad1: the same chain with an "https://"
// URL. The rule's regex only matches "http://", so this is not reported.
func ok1() {
    params := &Params{Count: 5}

    // ok: sling-http-request
    req, err := sling.New().Get("https://example.com").QueryStruct(params).Request()
    client.Do(req)
}

// ok2 is the TLS counterpart of bad2: Base is given an "https://"
// constant, so the fourth rule alternative does not match.
func ok2() {
    const twitterApi = "https://api.twitter.com/1.1/"
    // ok: sling-http-request
    base := sling.New().Base(twitterApi).Client(authClient)
}

// ok3 is the TLS counterpart of bad3: a stored sling instance followed
// by Post with an "https://" literal, which the rule does not flag.
func ok3() {
    params := &Params{Count: 5}

    // ok: sling-http-request
    sling = sling.New()
    req, err := sling.Post("https://example.com").QueryStruct(params).Request()
    client.Do(req)
}

// ok4 is the TLS counterpart of bad4: the URL constant passed to Delete
// uses "https://", so the third rule alternative does not match.
func ok4() {
    s = sling.New()
    const twitterApi = "https://api.twitter.com/1.1/"
    // ok: sling-http-request
    base := s.Delete(twitterApi).Client(authClient)
}

// ok5 shows a call the rule deliberately does not report: the receiver
// is githubBase.New(), not sling.New(), and path is not assigned an
// "http://" literal anywhere in this function, so none of the four
// alternatives applies. Whether the request is actually encrypted
// depends on how githubBase and path are defined outside this file.
func ok5() {
    // Github Issue (abbreviated)
    type Issue struct {
        Title  string `json:"title"`
        Body   string `json:"body"`
    }

    issues := new([]Issue)
    // ok: sling-http-request
    resp, err := githubBase.New().Get(path).QueryStruct(params).ReceiveSuccess(issues)
    fmt.Println(issues, resp, err)
}